The Chinese state-sponsored cyber espionage group known as Salt Typhoon has launched a series of attacks targeting over a thousand Cisco devices worldwide. These attacks, which occurred in December 2024 and January 2025, have compromised telecommunications companies, internet service providers (ISPs), and universities across six continents.
Salt Typhoon, also referred to as RedMike, Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, has a history of targeting major organisations. Previously, it was linked to cyber intrusions involving US telecommunications providers such as T-Mobile, AT&T, and Verizon. Reports suggest that the group managed to intercept law enforcement wiretaps and monitor US presidential campaigns.
The recent attacks exploited two known vulnerabilities in Cisco IOS XE devices. The first, CVE-2023-20198, is a critical flaw with a CVSS score of 10/10, allowing attackers to create administrative local accounts without prior authorisation. The second, CVE-2023-20273, is a high-severity vulnerability with a CVSS score of 7.2, enabling attackers to execute malicious commands with root privileges.
Using these vulnerabilities, Salt Typhoon established Generic Routing Encapsulation (GRE) tunnels to maintain persistence within compromised systems. These tunnels, a legitimate network feature, were repurposed to enable data exfiltration while evading detection by firewalls and security monitoring tools.
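One defensive check the paragraph above suggests, as an added Python example that is not from the original article or from Cisco: parse `show running-config` output for privilege-15 local accounts and tunnel interfaces that are absent from a baseline the operator maintains. The config excerpt, the baseline sets and the `find_anomalies` helper are constructed for this example.

```python
import re

# Constructed excerpt of an IOS XE running-config (sample data, not from a real device)
SAMPLE_CONFIG = """\
username netadmin privilege 15 secret 9 REDACTED
username cisco_tac_admin privilege 15 secret 9 REDACTED
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
interface Tunnel7
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.45
 tunnel mode gre ip
"""

# Baselines the defender maintains (assumed values for this example)
KNOWN_ADMINS = {"netadmin"}
KNOWN_TUNNELS = {"Tunnel0"}

def parse_config(text):
    """Return (privilege-15 usernames, {tunnel name: {tunnel attribute: value}})."""
    admins, tunnels, current = set(), {}, None
    for line in text.splitlines():
        m = re.match(r"username (\S+) privilege 15\b", line)
        if m:
            admins.add(m.group(1))
            continue
        if line.startswith("interface "):
            name = line.split()[1]
            current = name if name.startswith("Tunnel") else None
            if current:
                tunnels[current] = {}
            continue
        if current and line.startswith(" tunnel "):
            _, key, value = line.split(maxsplit=2)   # e.g. " tunnel destination X"
            tunnels[current][key] = value
    return admins, tunnels

def find_anomalies(text, known_admins=KNOWN_ADMINS, known_tunnels=KNOWN_TUNNELS):
    """Flag local admin accounts and tunnel interfaces that are not in the baseline."""
    admins, tunnels = parse_config(text)
    findings = [f"unexpected privilege-15 local user: {u}" for u in sorted(admins - known_admins)]
    for name, attrs in sorted(tunnels.items()):
        if name not in known_tunnels:
            findings.append(f"undocumented tunnel {name} to {attrs.get('destination', '?')}"
                            f" (mode {attrs.get('mode', 'unspecified')})")
    return findings
```

Run it against a periodically collected running-config and alert on any non-empty result; an unexpected account or tunnel is the artefact the paragraph describes and should be reviewed before the device is trusted.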
Although this campaign has been traced back to December 2024, experts believe this may not be the first time Salt Typhoon has used Cisco devices for cyber espionage.
In September 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) issued defensive guidance for communications providers, implying that Cisco devices had been exploited, though specific details were not disclosed.
Cisco has responded to the reports, stating that while they are aware of the claims, they have yet to validate the ongoing exploitation of their devices. A company spokesperson reiterated that Cisco had issued a security advisory in 2023 urging customers to apply necessary software patches. Additionally, in October 2023, Cisco advised all users of IOS XE devices to disconnect them from the internet due to active exploitation of the vulnerabilities.
The persistence of these cyber threats highlights the importance of timely software updates and adherence to security best practices. Organisations using Cisco devices are strongly advised to apply the recommended patches and review their network security measures to mitigate potential risks.